4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 May 2018 23:54:38 +0000 (16:54 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 May 2018 23:54:38 +0000 (16:54 -0700)
added patches:
alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
alsa-aloop-mark-paused-device-as-inactive.patch
alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
input-leds-fix-out-of-bound-access.patch
net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
rdma-cxgb4-release-hw-resources-on-device-removal.patch
rdma-mlx5-protect-from-shift-operand-overflow.patch
rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
tracepoint-do-not-warn-on-enomem.patch
xfs-prevent-creating-negative-sized-file-via-insert_range.patch

14 files changed:
queue-4.9/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch [new file with mode: 0644]
queue-4.9/alsa-aloop-mark-paused-device-as-inactive.patch [new file with mode: 0644]
queue-4.9/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch [new file with mode: 0644]
queue-4.9/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch [new file with mode: 0644]
queue-4.9/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch [new file with mode: 0644]
queue-4.9/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch [new file with mode: 0644]
queue-4.9/input-leds-fix-out-of-bound-access.patch [new file with mode: 0644]
queue-4.9/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch [new file with mode: 0644]
queue-4.9/rdma-cxgb4-release-hw-resources-on-device-removal.patch [new file with mode: 0644]
queue-4.9/rdma-mlx5-protect-from-shift-operand-overflow.patch [new file with mode: 0644]
queue-4.9/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/tracepoint-do-not-warn-on-enomem.patch [new file with mode: 0644]
queue-4.9/xfs-prevent-creating-negative-sized-file-via-insert_range.patch [new file with mode: 0644]

diff --git a/queue-4.9/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch b/queue-4.9/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
new file mode 100644 (file)
index 0000000..875d353
--- /dev/null
@@ -0,0 +1,112 @@
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed.  It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc
+ {
+       struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+       
++      mutex_lock(&loopback->cable_lock);
+       ucontrol->value.integer.value[0] =
+               loopback->setup[kcontrol->id.subdevice]
+                              [kcontrol->id.device].rate_shift;
++      mutex_unlock(&loopback->cable_lock);
+       return 0;
+ }
+@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn
+ {
+       struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+       
++      mutex_lock(&loopback->cable_lock);
+       ucontrol->value.integer.value[0] =
+               loopback->setup[kcontrol->id.subdevice]
+                              [kcontrol->id.device].notify;
++      mutex_unlock(&loopback->cable_lock);
+       return 0;
+ }
+@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn
+       int change = 0;
+       val = ucontrol->value.integer.value[0] ? 1 : 0;
++      mutex_lock(&loopback->cable_lock);
+       if (val != loopback->setup[kcontrol->id.subdevice]
+                               [kcontrol->id.device].notify) {
+               loopback->setup[kcontrol->id.subdevice]
+                       [kcontrol->id.device].notify = val;
+               change = 1;
+       }
++      mutex_unlock(&loopback->cable_lock);
+       return change;
+ }
+@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn
+                              struct snd_ctl_elem_value *ucontrol)
+ {
+       struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+-      struct loopback_cable *cable = loopback->cables
+-                      [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++      struct loopback_cable *cable;
++
+       unsigned int val = 0;
++      mutex_lock(&loopback->cable_lock);
++      cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+       if (cable != NULL) {
+               unsigned int running = cable->running ^ cable->pause;
+               val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+       }
++      mutex_unlock(&loopback->cable_lock);
+       ucontrol->value.integer.value[0] = val;
+       return 0;
+ }
+@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_
+ {
+       struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+       
++      mutex_lock(&loopback->cable_lock);
+       ucontrol->value.integer.value[0] =
+               loopback->setup[kcontrol->id.subdevice]
+                              [kcontrol->id.device].rate;
++      mutex_unlock(&loopback->cable_lock);
+       return 0;
+ }
+@@ -966,9 +977,11 @@ static int loopback_channels_get(struct
+ {
+       struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+       
++      mutex_lock(&loopback->cable_lock);
+       ucontrol->value.integer.value[0] =
+               loopback->setup[kcontrol->id.subdevice]
+                              [kcontrol->id.device].channels;
++      mutex_unlock(&loopback->cable_lock);
+       return 0;
+ }
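Review bot: In loopback_active_get() nothing in the new code records why `cable` may only be looked up and dereferenced under `cable_lock`, and that is the one place in this patch where a freed object could be touched. A short comment above the lookup would keep a later cleanup from hoisting it back into the declaration, for example `/* cable can be freed concurrently; look it up and use it only under cable_lock */`. That wording is inferred from the commit message, which speaks of the cable being freed during access, so adjust it to the actual free path. The same function also leaves a blank line between the two declarations and none before `mutex_lock()`, which is the reverse of the usual layout.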
diff --git a/queue-4.9/alsa-aloop-mark-paused-device-as-inactive.patch b/queue-4.9/alsa-aloop-mark-paused-device-as-inactive.patch
new file mode 100644 (file)
index 0000000..8355dcf
--- /dev/null
@@ -0,0 +1,59 @@
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren <robert.rosengren@axis.com>
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren <robert.rosengren@axis.com>
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_p
+               cable->pause |= stream;
+               loopback_timer_stop(dpcm);
+               spin_unlock(&cable->lock);
++              if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++                      loopback_active_notify(dpcm);
+               break;
+       case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+       case SNDRV_PCM_TRIGGER_RESUME:
+@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_p
+               cable->pause &= ~stream;
+               loopback_timer_start(dpcm);
+               spin_unlock(&cable->lock);
++              if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++                      loopback_active_notify(dpcm);
+               break;
+       default:
+               return -EINVAL;
+@@ -893,9 +897,11 @@ static int loopback_active_get(struct sn
+                       [kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+       unsigned int val = 0;
+-      if (cable != NULL)
+-              val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+-                                                                      1 : 0;
++      if (cable != NULL) {
++              unsigned int running = cable->running ^ cable->pause;
++
++              val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++      }
+       ucontrol->value.integer.value[0] = val;
+       return 0;
+ }
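Review bot: `cable->running ^ cable->pause` in loopback_active_get() reports the playback side as active whenever its pause bit is set while its running bit is clear, because XOR yields 1 for that combination. Whether that state can occur depends on how loopback_trigger() maintains the two masks on stop, which is outside the hunk. Masking states the intent without relying on it: `unsigned int running = cable->running & ~cable->pause;`.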
diff --git a/queue-4.9/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch b/queue-4.9/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
new file mode 100644 (file)
index 0000000..c9309ae
--- /dev/null
@@ -0,0 +1,38 @@
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open.  It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight.  Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -426,6 +426,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+               return -ENOTTY;
+       if (substream->stream != dir)
+               return -EINVAL;
++      if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++              return -EBADFD;
+       if ((ch = substream->runtime->channels) > 128)
+               return -EINVAL;
diff --git a/queue-4.9/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch b/queue-4.9/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
new file mode 100644 (file)
index 0000000..98af4ca
--- /dev/null
@@ -0,0 +1,53 @@
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock.  Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread.  This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_virmidi.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+                       }
+                       return;
+               }
++              spin_lock_irqsave(&substream->runtime->lock, flags);
+               if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+                       if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+-                              return;
++                              goto out;
+                       vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+               }
+-              spin_lock_irqsave(&substream->runtime->lock, flags);
+               while (1) {
+                       count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+                       if (count <= 0)
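Review bot: With `spin_lock_irqsave()` moved above the pending-event branch, `snd_seq_kernel_client_dispatch()` now always runs under a spinlock with interrupts off, yet its atomic argument is still `in_atomic()`. That macro is not a reliable indicator of a held spinlock on kernels built without preempt counting, so the dispatch may be told it is allowed to sleep. Since the context is now known statically, passing a constant is safer: `snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, true, 0)`. The `out:` label targeted by the new `goto` and the matching unlock are outside the hunk, so the release of the lock on that path cannot be confirmed from here.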
diff --git a/queue-4.9/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch b/queue-4.9/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
new file mode 100644 (file)
index 0000000..9794d14
--- /dev/null
@@ -0,0 +1,58 @@
+From 4f32ac2e452c2180cd2df581cbadac183e27ecd0 Mon Sep 17 00:00:00 2001
+From: Danit Goldberg <danitg@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:54 +0300
+Subject: IB/mlx5: Use unlimited rate when static rate is not supported
+
+From: Danit Goldberg <danitg@mellanox.com>
+
+commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
+
+Before the change, if the user passed a static rate value different
+than zero and the FW doesn't support static rate,
+it would end up configuring rate of 2.5 GBps.
+
+Fix this by using rate 0; unlimited, in cases where FW
+doesn't support static rate configuration.
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Danit Goldberg <danitg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2168,18 +2168,18 @@ enum {
+ static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate)
+ {
+-      if (rate == IB_RATE_PORT_CURRENT) {
++      if (rate == IB_RATE_PORT_CURRENT)
+               return 0;
+-      } else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) {
++
++      if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS)
+               return -EINVAL;
+-      } else {
+-              while (rate != IB_RATE_2_5_GBPS &&
+-                     !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
+-                       MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
+-                      --rate;
+-      }
+-      return rate + MLX5_STAT_RATE_OFFSET;
++      while (rate != IB_RATE_PORT_CURRENT &&
++             !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
++               MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
++              --rate;
++
++      return rate ? rate + MLX5_STAT_RATE_OFFSET : rate;
+ }
+ static int modify_raw_packet_eth_prio(struct mlx5_core_dev *dev,
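Review bot: In ib_rate_to_mlx5() the fallback loop now runs until `rate` reaches `IB_RATE_PORT_CURRENT`, so it also probes values below `IB_RATE_2_5_GBPS` that the range check just above rejects when a caller passes them. If any value lies between the two constants (the `<` comparison suggests one may; the enum is outside the hunk), a firmware capability bit at that position would make the function return a rate nobody requested. Stopping at the lowest valid rate keeps the walk inside the validated range: `while (rate >= IB_RATE_2_5_GBPS && !(1 << (rate + MLX5_STAT_RATE_OFFSET) & MLX5_CAP_GEN(dev->mdev, stat_rate_support))) --rate;` followed by `return rate >= IB_RATE_2_5_GBPS ? rate + MLX5_STAT_RATE_OFFSET : 0;`. A one-line comment that 0 means "unlimited" would also help, since the return expression no longer says so.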
diff --git a/queue-4.9/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch b/queue-4.9/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
new file mode 100644 (file)
index 0000000..e0ad75d
--- /dev/null
@@ -0,0 +1,46 @@
+From f372b81101e6895252298e563d634d5e44ae81e7 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Wed, 25 Apr 2018 15:22:13 -0700
+Subject: Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit f372b81101e6895252298e563d634d5e44ae81e7 upstream.
+
+This patch adds the correct platform data information for the Caroline
+Chromebook, so that the mouse button does not get stuck in pressed state
+after the first click.
+
+The Samus button keymap and platform data definition are the correct
+ones for Caroline, so they have been reused here.
+
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Salvatore Bellizzi <lkml@seppia.net>
+Tested-by: Guenter Roeck <groeck@chromium.org>
+Cc: stable@vger.kernel.org
+[dtor: adjusted vendor spelling to match shipping firmware]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3028,6 +3028,15 @@ static const struct dmi_system_id mxt_dm
+               .driver_data = samus_platform_data,
+       },
+       {
++              /* Samsung Chromebook Pro */
++              .ident = "Samsung Chromebook Pro",
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Google"),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"),
++              },
++              .driver_data = samus_platform_data,
++      },
++      {
+               /* Other Google Chromebooks */
+               .ident = "Chromebook",
+               .matches = {
diff --git a/queue-4.9/input-leds-fix-out-of-bound-access.patch b/queue-4.9/input-leds-fix-out-of-bound-access.patch
new file mode 100644 (file)
index 0000000..1371b0e
--- /dev/null
@@ -0,0 +1,56 @@
+From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 6 Apr 2018 10:23:05 -0700
+Subject: Input: leds - fix out of bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream.
+
+UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with
+led > LED_CHARGING:
+
+[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds]
+[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128
+
+This happens because we were writing to the led structure before making
+sure that it exists.
+
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input-leds.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input-leds.c
++++ b/drivers/input/input-leds.c
+@@ -88,6 +88,7 @@ static int input_leds_connect(struct inp
+                             const struct input_device_id *id)
+ {
+       struct input_leds *leds;
++      struct input_led *led;
+       unsigned int num_leds;
+       unsigned int led_code;
+       int led_no;
+@@ -119,14 +120,13 @@ static int input_leds_connect(struct inp
+       led_no = 0;
+       for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
+-              struct input_led *led = &leds->leds[led_no];
++              if (!input_led_info[led_code].name)
++                      continue;
++              led = &leds->leds[led_no];
+               led->handle = &leds->handle;
+               led->code = led_code;
+-              if (!input_led_info[led_code].name)
+-                      continue;
+-
+               led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
+                                          dev_name(&dev->dev),
+                                          input_led_info[led_code].name);
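Review bot: The moved `if (!input_led_info[led_code].name) continue;` in input_leds_connect() carries no explanation of why it must precede `led = &leds->leds[led_no];`, and that ordering is the whole fix. A comment such as `/* unnamed codes have no slot in leds->leds[]; skip them before touching the array */` would protect it from being reordered again. The wording follows the commit message, since the allocation that sizes the array is outside the hunk. The function body continues past the end of the hunk.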
diff --git a/queue-4.9/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch b/queue-4.9/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
new file mode 100644 (file)
index 0000000..512baeb
--- /dev/null
@@ -0,0 +1,43 @@
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+        Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+        Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -803,6 +803,7 @@ static const struct usb_device_id produc
+       {QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+       {QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+       {QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++      {QMI_FIXED_INTF(0x05c6, 0x90b2, 3)},    /* ublox R410M */
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+       {QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+       {QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)}, /* YUGA CLM920-NC5 */
diff --git a/queue-4.9/rdma-cxgb4-release-hw-resources-on-device-removal.patch b/queue-4.9/rdma-cxgb4-release-hw-resources-on-device-removal.patch
new file mode 100644 (file)
index 0000000..c076e09
--- /dev/null
@@ -0,0 +1,155 @@
+From 26bff1bd74a4f7417509a83295614e9dab995b2a Mon Sep 17 00:00:00 2001
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Mon, 23 Apr 2018 21:42:37 +0530
+Subject: RDMA/cxgb4: release hw resources on device removal
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+commit 26bff1bd74a4f7417509a83295614e9dab995b2a upstream.
+
+The c4iw_rdev_close() logic was not releasing all the hw
+resources (PBL and RQT memory) during the device removal
+event (driver unload / system reboot). This can cause panic
+in gen_pool_destroy().
+
+The module remove function will wait for all the hw
+resources to be released during the device removal event.
+
+Fixes c12a67fe(iw_cxgb4: free EQ queue memory on last deref)
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/device.c   |    9 ++++++++-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h |    4 ++++
+ drivers/infiniband/hw/cxgb4/resource.c |   26 ++++++++++++++++++++++++--
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/device.c
++++ b/drivers/infiniband/hw/cxgb4/device.c
+@@ -856,6 +856,11 @@ static int c4iw_rdev_open(struct c4iw_rd
+       rdev->status_page->db_off = 0;
++      init_completion(&rdev->rqt_compl);
++      init_completion(&rdev->pbl_compl);
++      kref_init(&rdev->rqt_kref);
++      kref_init(&rdev->pbl_kref);
++
+       return 0;
+ err_free_status_page:
+       free_page((unsigned long)rdev->status_page);
+@@ -872,12 +877,14 @@ destroy_resource:
+ static void c4iw_rdev_close(struct c4iw_rdev *rdev)
+ {
+-      destroy_workqueue(rdev->free_workq);
+       kfree(rdev->wr_log);
+       free_page((unsigned long)rdev->status_page);
+       c4iw_pblpool_destroy(rdev);
+       c4iw_rqtpool_destroy(rdev);
++      wait_for_completion(&rdev->pbl_compl);
++      wait_for_completion(&rdev->rqt_compl);
+       c4iw_destroy_resource(&rdev->resource);
++      destroy_workqueue(rdev->free_workq);
+ }
+ static void c4iw_dealloc(struct uld_ctx *ctx)
+--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
+@@ -186,6 +186,10 @@ struct c4iw_rdev {
+       struct wr_log_entry *wr_log;
+       int wr_log_size;
+       struct workqueue_struct *free_workq;
++      struct completion rqt_compl;
++      struct completion pbl_compl;
++      struct kref rqt_kref;
++      struct kref pbl_kref;
+ };
+ static inline int c4iw_fatal_error(struct c4iw_rdev *rdev)
+--- a/drivers/infiniband/hw/cxgb4/resource.c
++++ b/drivers/infiniband/hw/cxgb4/resource.c
+@@ -260,12 +260,22 @@ u32 c4iw_pblpool_alloc(struct c4iw_rdev
+               rdev->stats.pbl.cur += roundup(size, 1 << MIN_PBL_SHIFT);
+               if (rdev->stats.pbl.cur > rdev->stats.pbl.max)
+                       rdev->stats.pbl.max = rdev->stats.pbl.cur;
++              kref_get(&rdev->pbl_kref);
+       } else
+               rdev->stats.pbl.fail++;
+       mutex_unlock(&rdev->stats.lock);
+       return (u32)addr;
+ }
++static void destroy_pblpool(struct kref *kref)
++{
++      struct c4iw_rdev *rdev;
++
++      rdev = container_of(kref, struct c4iw_rdev, pbl_kref);
++      gen_pool_destroy(rdev->pbl_pool);
++      complete(&rdev->pbl_compl);
++}
++
+ void c4iw_pblpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+       PDBG("%s addr 0x%x size %d\n", __func__, addr, size);
+@@ -273,6 +283,7 @@ void c4iw_pblpool_free(struct c4iw_rdev
+       rdev->stats.pbl.cur -= roundup(size, 1 << MIN_PBL_SHIFT);
+       mutex_unlock(&rdev->stats.lock);
+       gen_pool_free(rdev->pbl_pool, (unsigned long)addr, size);
++      kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+ int c4iw_pblpool_create(struct c4iw_rdev *rdev)
+@@ -312,7 +323,7 @@ int c4iw_pblpool_create(struct c4iw_rdev
+ void c4iw_pblpool_destroy(struct c4iw_rdev *rdev)
+ {
+-      gen_pool_destroy(rdev->pbl_pool);
++      kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+ /*
+@@ -333,12 +344,22 @@ u32 c4iw_rqtpool_alloc(struct c4iw_rdev
+               rdev->stats.rqt.cur += roundup(size << 6, 1 << MIN_RQT_SHIFT);
+               if (rdev->stats.rqt.cur > rdev->stats.rqt.max)
+                       rdev->stats.rqt.max = rdev->stats.rqt.cur;
++              kref_get(&rdev->rqt_kref);
+       } else
+               rdev->stats.rqt.fail++;
+       mutex_unlock(&rdev->stats.lock);
+       return (u32)addr;
+ }
++static void destroy_rqtpool(struct kref *kref)
++{
++      struct c4iw_rdev *rdev;
++
++      rdev = container_of(kref, struct c4iw_rdev, rqt_kref);
++      gen_pool_destroy(rdev->rqt_pool);
++      complete(&rdev->rqt_compl);
++}
++
+ void c4iw_rqtpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+       PDBG("%s addr 0x%x size %d\n", __func__, addr, size << 6);
+@@ -346,6 +367,7 @@ void c4iw_rqtpool_free(struct c4iw_rdev
+       rdev->stats.rqt.cur -= roundup(size << 6, 1 << MIN_RQT_SHIFT);
+       mutex_unlock(&rdev->stats.lock);
+       gen_pool_free(rdev->rqt_pool, (unsigned long)addr, size << 6);
++      kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+ int c4iw_rqtpool_create(struct c4iw_rdev *rdev)
+@@ -383,7 +405,7 @@ int c4iw_rqtpool_create(struct c4iw_rdev
+ void c4iw_rqtpool_destroy(struct c4iw_rdev *rdev)
+ {
+-      gen_pool_destroy(rdev->rqt_pool);
++      kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+ /*
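Review bot: In c4iw_rdev_open() the `kref_init()` and `init_completion()` calls are added immediately before `return 0`, after every step that can fail. If the error labels that follow (`err_free_status_page:` and those outside the hunk) unwind through c4iw_pblpool_destroy() or c4iw_rqtpool_destroy(), those now call `kref_put()` on a kref that was never initialised, so the pool would not be released on a failed open. Initialising both krefs and completions before the pools are created avoids that, i.e. move `kref_init(&rdev->pbl_kref);` and `kref_init(&rdev->rqt_kref);` with their `init_completion()` calls ahead of the pool setup. Separately, c4iw_rdev_close() now blocks in `wait_for_completion()` with no timeout, so a leaked PBL or RQT allocation becomes a hung unload; a log line before the waits would make that diagnosable.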
diff --git a/queue-4.9/rdma-mlx5-protect-from-shift-operand-overflow.patch b/queue-4.9/rdma-mlx5-protect-from-shift-operand-overflow.patch
new file mode 100644 (file)
index 0000000..10ce99a
--- /dev/null
@@ -0,0 +1,62 @@
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -253,7 +253,11 @@ static int set_rq_size(struct mlx5_ib_de
+       } else {
+               if (ucmd) {
+                       qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++                      if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++                              return -EINVAL;
+                       qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++                      if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++                              return -EINVAL;
+                       qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+                       qp->rq.max_post = qp->rq.wqe_cnt;
+               } else {
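Review bot: The new bound on `ucmd->rq_wqe_shift` uses `>`, so a shift equal to the field's bit width still passes, and the following lines evaluate `1 << qp->rq.wqe_shift` on a plain `int`. For a 32-bit field (its declaration is outside the hunk) that admits 31 and 32, both undefined for a signed 32-bit left shift, so user-supplied input can still reach the behaviour UBSAN flagged. Bounding against the type actually being shifted closes the gap, e.g. `if (ucmd->rq_wqe_shift >= BITS_PER_BYTE * sizeof(int) - 1) return -EINVAL;`. set_rq_size() starts and ends outside the hunk.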
diff --git a/queue-4.9/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch b/queue-4.9/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
new file mode 100644 (file)
index 0000000..900ee23
--- /dev/null
@@ -0,0 +1,39 @@
+From 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Thu, 19 Apr 2018 08:28:11 -0700
+Subject: RDMA/ucma: Allow resolving address w/o specifying source address
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 upstream.
+
+The RDMA CM will select a source device and address by consulting
+the routing table if no source address is passed into
+rdma_resolve_address().  Userspace will ask for this by passing an
+all-zero source address in the RESOLVE_IP command.  Unfortunately
+the new check for non-zero address size rejects this with EINVAL,
+which breaks valid userspace applications.
+
+Fix this by explicitly allowing a zero address family for the source.
+
+Fixes: 2975d5de6428 ("RDMA/ucma: Check AF family prior resolving address")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -676,7 +676,7 @@ static ssize_t ucma_resolve_ip(struct uc
+       if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+               return -EFAULT;
+-      if (!rdma_addr_size_in6(&cmd.src_addr) ||
++      if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
+           !rdma_addr_size_in6(&cmd.dst_addr))
+               return -EINVAL;
index fd0815eaf79f9e6a8571a71c604ff6e1b6292514..b41b8b5d6be5a6107618efbd9ac330bba81ec5f4 100644 (file)
@@ -5,3 +5,16 @@ arm-arm64-kvm-add-psci-version-selection-api.patch
 crypto-talitos-fix-ipsec-cipher-in-length.patch
 serial-imx-ensure-ucr3-and-ufcr-are-setup-correctly.patch
 usb-serial-option-add-support-for-quectel-ep06.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+tracepoint-do-not-warn-on-enomem.patch
+input-leds-fix-out-of-bound-access.patch
+input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
+xfs-prevent-creating-negative-sized-file-via-insert_range.patch
+rdma-cxgb4-release-hw-resources-on-device-removal.patch
+rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
diff --git a/queue-4.9/tracepoint-do-not-warn-on-enomem.patch b/queue-4.9/tracepoint-do-not-warn-on-enomem.patch
new file mode 100644 (file)
index 0000000..979d41a
--- /dev/null
@@ -0,0 +1,60 @@
+From d66a270be3310d7aa132fec0cea77d3d32a0ff75 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Thu, 15 Mar 2018 08:44:24 -0400
+Subject: tracepoint: Do not warn on ENOMEM
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream.
+
+Tracepoint should only warn when a kernel API user does not respect the
+required preconditions (e.g. same tracepoint enabled twice, or called
+to remove a tracepoint that does not exist).
+
+Silence warning in out-of-memory conditions, given that the error is
+returned to the caller.
+
+This ensures that out-of-memory error-injection testing does not trigger
+warnings in tracepoint.c, which were seen by syzbot.
+
+Link: https://lkml.kernel.org/r/001a114465e241a8720567419a72@google.com
+Link: https://lkml.kernel.org/r/001a1140e0de15fc910567464190@google.com
+Link: http://lkml.kernel.org/r/20180315124424.32319-1-mathieu.desnoyers@efficios.com
+
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Jiri Olsa <jolsa@redhat.com>
+CC: Arnaldo Carvalho de Melo <acme@kernel.org>
+CC: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+CC: Namhyung Kim <namhyung@kernel.org>
+CC: stable@vger.kernel.org
+Fixes: de7b2973903c6 ("tracepoint: Use struct pointer instead of name hash for reg/unreg tracepoints")
+Reported-by: syzbot+9c0d616860575a73166a@syzkaller.appspotmail.com
+Reported-by: syzbot+4e9ae7fa46233396f64d@syzkaller.appspotmail.com
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/tracepoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -202,7 +202,7 @@ static int tracepoint_add_func(struct tr
+                       lockdep_is_held(&tracepoints_mutex));
+       old = func_add(&tp_funcs, func, prio);
+       if (IS_ERR(old)) {
+-              WARN_ON_ONCE(1);
++              WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+               return PTR_ERR(old);
+       }
+@@ -235,7 +235,7 @@ static int tracepoint_remove_func(struct
+                       lockdep_is_held(&tracepoints_mutex));
+       old = func_remove(&tp_funcs, func);
+       if (IS_ERR(old)) {
+-              WARN_ON_ONCE(1);
++              WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+               return PTR_ERR(old);
+       }
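Review bot: Both `WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM)` sites, in tracepoint_add_func and tracepoint_remove_func, leave the reason for the exemption in the commit message only, so a later reader cannot tell a deliberate filter from an accident. A one-line comment above each would do: `/* -ENOMEM is returned to the caller; warn only on API misuse */`. This matters beyond log noise, because a kernel running with panic_on_warn turns any reachable WARN into a crash, which is presumably why an allocation failure should stay silent here. Both function bodies start and end outside their hunks.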
diff --git a/queue-4.9/xfs-prevent-creating-negative-sized-file-via-insert_range.patch b/queue-4.9/xfs-prevent-creating-negative-sized-file-via-insert_range.patch
new file mode 100644 (file)
index 0000000..b6d1a9d
--- /dev/null
@@ -0,0 +1,70 @@
+From 7d83fb14258b9961920cd86f0b921caaeb3ebe85 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 16 Apr 2018 23:07:45 -0700
+Subject: xfs: prevent creating negative-sized file via INSERT_RANGE
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 7d83fb14258b9961920cd86f0b921caaeb3ebe85 upstream.
+
+During the "insert range" fallocate operation, i_size grows by the
+specified 'len' bytes.  XFS verifies that i_size + len < s_maxbytes, as
+it should.  But this comparison is done using the signed 'loff_t', and
+'i_size + len' can wrap around to a negative value, causing the check to
+incorrectly pass, resulting in an inode with "negative" i_size.  This is
+possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
+ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
+
+Fix it by using subtraction instead.
+
+Reproducer:
+    xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
+
+Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: <stable@vger.kernel.org> # v4.1+
+Originally-From: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix signed integer addition overflow too]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_file.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -846,22 +846,26 @@ xfs_file_fallocate(
+               if (error)
+                       goto out_unlock;
+       } else if (mode & FALLOC_FL_INSERT_RANGE) {
+-              unsigned int blksize_mask = i_blocksize(inode) - 1;
++              unsigned int    blksize_mask = i_blocksize(inode) - 1;
++              loff_t          isize = i_size_read(inode);
+-              new_size = i_size_read(inode) + len;
+               if (offset & blksize_mask || len & blksize_mask) {
+                       error = -EINVAL;
+                       goto out_unlock;
+               }
+-              /* check the new inode size does not wrap through zero */
+-              if (new_size > inode->i_sb->s_maxbytes) {
++              /*
++               * New inode size must not exceed ->s_maxbytes, accounting for
++               * possible signed overflow.
++               */
++              if (inode->i_sb->s_maxbytes - isize < len) {
+                       error = -EFBIG;
+                       goto out_unlock;
+               }
++              new_size = isize + len;
+               /* Offset should be less than i_size */
+-              if (offset >= i_size_read(inode)) {
++              if (offset >= isize) {
+                       error = -EINVAL;
+                       goto out_unlock;
+               }
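Review bot: The rewritten bound check `inode->i_sb->s_maxbytes - isize < len` is overflow-free only while `0 <= isize <= s_maxbytes` and `len` is non-negative, and neither precondition is stated or checked in the lines shown. If `len` is validated by the caller, as seems likely, the new comment should say so; a negative i_size read from the inode would make the subtraction itself overflow when s_maxbytes is LLONG_MAX. I would extend the comment with `* Relies on 0 <= isize <= s_maxbytes and len > 0 (TODO confirm where enforced).` The assignment `new_size = isize + len` is correctly placed after the check and should stay there. xfs_file_fallocate starts before and continues after this hunk.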